Apple to launch its first Security Bounty Program

Apple is introducing a security bounty program for the first time. The news comes on the heels of a presentation by Apple’s Ivan Krstic at the annual Black Hat USA security conference in Las Vegas.

Ivan Krstic runs security engineering and architecture at Apple and he presented an in-depth look at iOS security. This was the first time Apple had appeared at Black Hat in four years.

On the surface, Apple has been more focused on discussing its commitment to security because of its battle with the FBI. Now Apple is launching its first security bounty program, which is due to start this September. The program will accept security submissions across a wide range of areas, and payouts to researchers and their organizations will vary with the type of exploit found.

The following are the issues and categories to be taken into consideration, along with their bounties:

Execution of arbitrary code with kernel privileges – up to $50,000.

Extraction of confidential material protected by the Secure Enclave Processor – up to $100,000.

Access from a sandboxed process to user data outside of the sandbox – up to $25,000.

Unauthorized access to iCloud account data on Apple servers – up to $50,000.

Secure boot firmware components – up to $200,000.

Researchers and organizations can accept the money Apple offers, or they can donate it to a charity of their choice. Apple says that if researchers choose to donate to a charity, it will consider matching that donation.

Apple says that it may also reward researchers who share critical vulnerabilities that aren’t outlined above.

This program isn’t open to the public the way many security bounty programs are. For now, Apple is partnering with a large number of security researchers and their organizations to concentrate on finding flaws.

But Apple says that this is not an exclusive effort. The plan is to open it up to a greater number of individuals and organizations over time. It also says that if someone who is not associated with an invited organization responsibly discloses a vulnerability, Apple welcomes that feedback, and the person may be given an invitation to join the formal process.

Apple says that it has spoken with several other companies that already run successful security bounties, and that their advice, which was to start small (to keep the signal-to-noise ratio manageable) and then gradually expand, contributed to the decision to involve only a few researchers and organizations in the beginning.

A long time coming

Though it is great that Apple is introducing a security bounty, it is worth noting that the company took its time to get here. Almost all the other major tech companies, including Google, Facebook, and Microsoft, have offered security bounties for years.

So what took so long?

Apple says that it has consistently received feedback, from experts inside and outside of the company, that it is more difficult to identify significant security vulnerabilities without a bounty program, although it has been working with outside researchers for years.

Ultimately, the company feels that it makes sense to look to outside researchers and organizations for their own feedback.

It probably doesn’t hurt that Apple’s security is under more focus than ever before. With so much attention on Apple security and so many people trying to bypass it, whether hackers or law enforcement, it makes sense to put more focus on identifying the mistakes.

I understand the necessity to limit, at least initially, participation in the security bounty program, but I do hope Apple commits to quickly expanding the individuals and groups involved. As a platform, iOS deserves as many eyes on it as possible.

For now, the bounty’s focus is on iOS, but Apple says that it is open to expanding the bounty program to other platforms, such as macOS, and other areas once the program ramps up.